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ABSTRACT 

Symbolic Pathfinder (SPF) combines symbolic execution with 
model checking and constraint solving for automated test 
case generation and error detection in Java programs with 
unspecified inputs. In this tool, programs are executed on 
symbolic inputs representing multiple concrete inputs. Val- 
ues of variables are represented as constraints generated 
from the analysis of Java bytecode. The constraints are 
solved using off-the shelf solvers to generate test inputs guar- 
anteed to achieve complex coverage criteria. SPF has been 
used successfully at NASA, in academia, and in industry. 

Categories and Subject Descriptors 

D.2.5 [Software Engineering]: Testing and Debugging — 
Symbolic Execution 

General Terms 

Reliability, Verification 

Keywords 

Automated test case generation, program analysis 

1. INTRODUCTION 

Symbolic execution is a popular analysis technique that 
executes a program on symbolic, rather than concrete, in- 
puts and it computes the program effects by manipulating 
expressions in terms of these symbolic inputs. Symbolic ex- 
ecution [6] was introduced in the 70s, but only recently has 
found wider applicability in practice due to the availability of 
new powerful decision procedures (necessary for manipulat- 
ing symbolic expressions) and increased computation power. 

We present Symbolic Pathfinder (SPF)-a tool for per- 
forming symbolic execution of Java bytecode. SPF han- 
dles inputs and operations on booleans, integers, reals, and 
complex data structures with a polymorphic class hierarchy. 
It handles preconditions as well as multi-threading. Fur- 
thermore, SPF supports a mixed mode execution [7] that 
combines concrete and symbolic execution. SPF also offers 
preliminary support for String and bit-vector operations. 

SPF has been used at NASA [7], to uncover subtle bugs 
in flight software, in academia, to aid in various research 
projects, and in industry, more recently at Fujitsu, to test 
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web applications with over 60,000 SLOC. By solving the 
symbolic input constraints for various coverage obligations, 
SPF can been used as a customizable test generator. The 
user can specify different code coverage metrics (e.g. MC/DC), 
she can customize the search strategy for generating test 
cases, and she can save the tests in different formats, such 
as HTML tables or JUnit tests. Furthermore, SPF has 
been used to generate counterexamples to safety properties 
in concurrent programs with unspecified inputs [8] and for 
proving light-weight properties of software. SPF is a freely 
available open-source project [4]. 

Related Tools Unlike our previous work [1, 5], SPF does 
not require a program instrumentation and a type-based 
analysis, and hence it is more efficient. Bogor/Kiasan [2], 
unlike SPF, does not separate between concrete and sym- 
bolic data, hence it can not support mixed concrete/symbolic 
execution. Furthermore, it can not handle complex Math 
constraints. Also related are concolic tools [9, 3], which per- 
form a form of symbolic execution along concrete program 
paths. The tools work by program instrumentation and do 
not handle multi-threading systematically. 

2. TOOL DESCRIPTION 

SPF is part of the Java PathFinder verification tool-set [4]. 
Java Pathfinder includes JPF-core, an explicit-state model 
checker, and several extension projects, one of them being 
SPF (jpf-symbc Java project). The model checker consists 
of a an extensible custom Java Virtual Machine (VM), state 
storage and backtracking capabilities, different search strate- 
gies, as well as listeners for monitoring and influencing the 
search. JPF-core executes the program concretely based on 
the standard semantics of the Java. 

In contrast, SPF replaces the concrete execution semantics 
of JPF-core with a non-standard symbolic interpretation. 

SPF relies on the JPF-core framework to systematically 
explore the different symbolic execution paths, as well as 
different thread interleavings. To limit the possibly infi- 
nite search space that results from symbolically executing 
programs with loops or recursion, a user-specified depth is 
provided. We describe SPF’s features below (see Fig. 1). 

Instruction Factory and Attributes SPF replaces the 
standard concrete execution semantics by using a Symbol- 
icInstructionFactory, that extends the bytecode instruc- 
tions to manipulate symbolic values and expressions. For ex- 
ample, when adding two symbolic integers symi and sym 2 
(by executing the IADD bytecode) the result is a symbolic 
expression representing symi + sym 2 - 

Storage of symbolic values and expressions is accomplished 
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Table 1: SPF Results 


that capture the calls to the j ava . lang . Math libraries and 
dispatch them to an appropriate constraint solver that can 
handle complex Math constraints. The same mechanism is 
also used for capturing String operations. 

Symbolic Listeners The listeners gather and display in- 
formation about the path conditions generated during the 
symbolic execution. They generate test cases and sequences 
in various formats. 


Figure 1: Architecture and features of SPF 

by assigning symbolic attributes to variables, fields and stack 
operands. The attributes are not part of the (concrete) pro- 
gram state and thus it is possible to use both concrete and 
symbolic values during the same execution [7]. This can 
be used, for example, to first perform a concrete execution 
of the program to reach a ’’suspicious” state, from which 
point on one can perform a detailed symbolic execution to 
stress that state [7]. Furthermore, it allows for easy exten- 
sion with other analyses that maintain both concrete and 
symbolic data such as concolic execution [3]. 

Branching Conditions The symbolic execution of con- 
ditional instructions (if statements) involves exploration of 
paths corresponding to the predicate at the branch evalu- 
ating to true and false. Both choices are generated non- 
deterministically by the PCChoiceGenerator. Each gener- 
ated choice is associated with a path condition encoding the 
condition or its negation respectively. The path conditions 
are checked for satisfiability using off-the-shelf decision pro- 
cedures or constraint solvers. If the path condition is satisfi- 
able, the search continues; otherwise, the search backtracks 
(meaning that branch is unreachable). 

Decision Procedures/Constraint Solvers SPF uses 
multiple decision procedures and constraint solvers through 
a generic interface. Currently, SPF supports: choco for in- 
teger/real constraints, cvc3 for linear constraints, and the 
interval arithmetic solver IASolver. Adding support for ad- 
ditional constraint solvers such as HAMPI and YICES is work 
in progress. 

Handling Input Data Structures SPF uses lazy ini- 
tialization [5] to handle unbounded input data structures. 
The execution starts on data structures with un-initialized 
fields and it initializes them lazily, when the fields are first 
accesed. A field of class T is initialized non-deterministically 
to (1) null, (2) a reference to a new instance of class T with 
uninitialized fields, or (3) a reference to an object of type T 
created during a prior field initialization; this sytematically 
treats aliasing. The HeapChoiceGenerator is used to gener- 
ate the choices. We have recently extended SPF to provide 
support for polymorphism. Step (2) above is replaced with 
non-deterministically assigning new instances of class T and 
of all the classes that inherit from T. Similarly, step (3) is 
replaced with assigning previously created objects to class 
T and objects from classes that inherit from T. 

Handling Math Functions SPF uses JPF-core’s native 
peers mechanism to model native libraries and any other 
program parts that cannot be analyzed directly with sym- 
bolic execution. Most notably, SPF incorporates native peers 


3. RESULTS AND CONCLUSIONS 

Table 1 gives the resources consumed for using SPF to 
detect two deadlocks and race-condition in the Vector class 
in the JDK 1.4 library [8]. 

We presented Symbolic Pathfinder, a symbolic execution 
tool for automatic test case generation and error detection 
in Java programs. Although effort was put in optimizing 
the code, the tool suffers from scalability issues due to the 
exhaustive nature of the analysis it performs and the con- 
straint solving involved. Towards this end, we are working 
on parallelizing SPF [10] . 
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